Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article shows you how to configure Azure MCP Server to authenticate against a sovereign cloud instead of the Azure public cloud. For example, use these steps when your subscription is in Azure US Government or Azure operated by 21Vianet Cloud (Azure in China), or when you need to provide a custom authority host. For more background about Azure sovereign cloud offerings, see What are sovereign clouds?.
Prerequisites
- Access to an Azure subscription in Azure US Government or Azure in China.
- A client or local setup that can start Azure MCP Server. For setup options, see Get started with the Azure MCP Server.
- At least one supported local authentication tool, such as Azure CLI, Azure PowerShell, or Azure Developer CLI.
Supported sovereign clouds
Azure MCP Server recognizes the following cloud names and maps them to the correct Microsoft Entra authority host.
| Cloud | Authority host | Supported aliases |
|---|---|---|
| Azure Public Cloud | https://login.microsoftonline.com |
AzureCloud, AzurePublicCloud, Public, AzurePublic |
| Azure US Government | https://login.microsoftonline.us |
AzureUSGovernment, USGov, AzureUSGovernmentCloud, USGovernment |
| Azure in China | https://login.chinacloudapi.cn |
AzureChinaCloud, China, AzureChina |
Aliases are case-insensitive.
Configure the cloud for Azure MCP Server
You can set the cloud either in the server arguments or through configuration. If you specify the cloud in more than one place, Azure MCP Server resolves the value in this order.
| Priority | Source | Setting |
|---|---|---|
| 1 | Command line | --cloud |
| 2 | .NET configuration providers | AZURE_CLOUD, azure_cloud, cloud, Cloud |
| 3 | Environment variable fallback | AZURE_CLOUD |
| Default | Fallback | AzurePublicCloud |
Configure using a server argument
If your MCP client starts Azure MCP Server for you, add --cloud to the server arguments.
{
"servers": {
"Azure MCP Server": {
"type": "stdio",
"command": "npx",
"args": [
"-y",
"@azure/mcp@latest",
"server",
"start",
"--cloud",
"AzureUSGovernment"
]
}
}
}
Replace AzureUSGovernment with AzureChinaCloud when you connect to the Azure in China.
Configure using environment variables
If you start Azure MCP Server from a shell, or if your MCP client supports environment variables, set AZURE_CLOUD with the appropriate value before starting the server.
$env:AZURE_CLOUD = "AzureUSGovernment"
azmcp server start
Authenticate your local tools to the same cloud
Before you start Azure MCP Server, sign in to the same sovereign cloud in the local tools that Azure MCP Server can use for authentication.
Use Azure CLI when your workflow relies on az login or the Azure CLI credential.
az cloud set --name AzureUSGovernment
az login
For Azure in China, replace AzureUSGovernment with AzureChinaCloud.
Configure a self-hosted remote server
If you deploy Azure MCP Server as a remote MCP server, make sure the host environment is configured for the target sovereign cloud before you publish the endpoint.
Set these environment variables on the host or container:
AZURE_CLOUD.AzureAd__ClientCredentials__0__TokenExchangeUrl.
If you use one of the Microsoft-provided Azure Container Apps templates, this value is set for you. The template derives the correct value from the target cloud before it publishes the remote endpoint. For examples, see the Foundry managed identity template, the Copilot Studio managed identity template, and the on-behalf-of template.
If you configure the remote server manually, set AzureAd__ClientCredentials__0__TokenExchangeUrl to the token exchange audience for your cloud:
| Cloud | Value |
|---|---|
| Azure Public Cloud | api://AzureADTokenExchange |
| Azure US Government | api://AzureADTokenExchangeUSGov |
| Azure in China | api://AzureADTokenExchangeChina |
For template-based deployments, review the upstream Azure MCP Server azd templates if you want to confirm the generated host or container settings before you publish the remote endpoint.
Verify the connection
Restart your MCP client after you change the cloud configuration.
Run a simple prompt that requires Azure context, such as
List my resource groups.If the request fails, verify that your local tools are authenticated to the same sovereign cloud and tenant as the Azure subscription you want to use.
Troubleshoot sovereign cloud configuration
If authentication or discovery fails, start with these checks.
Verify the cloud configuration. Confirm that the cloud name or authority host is correct.
Check local authentication. Make sure you authenticated the local toolchain to the correct cloud.
Verify the tenant. Confirm that the tenant belongs to the sovereign cloud subscription you want to use. For example, run
az account show --query tenantId -o tsv.Check network connectivity. Confirm that you can reach the correct authority host for your cloud.
- Azure US Government:
https://login.microsoftonline.us - Azure in China:
https://login.chinacloudapi.cn
- Azure US Government:
For remote deployments, confirm that both
AZURE_CLOUDandAzureAd__ClientCredentials__0__TokenExchangeUrlare set correctly.
Common error messages
Use the following table to map common failures to likely causes.
| Error | Likely cause | Resolution |
|---|---|---|
Authentication failed |
Your local tool is still signed in to the wrong cloud, or not signed in at all. | Reauthenticate with the correct cloud by using az login, Connect-AzAccount, or azd auth login. |
Cannot connect to authority host |
The cloud value or custom authority host URL is invalid, or the endpoint is unreachable. | Verify the cloud name, custom authority host, and network connectivity. |
Invalid tenant |
The tenant doesn't match the sovereign cloud subscription. | Confirm the tenant ID and sign in again with the correct tenant and cloud. |
The primary access token is from the wrong issuer |
The token was issued for a different tenant than the subscription expects. | Check the active tenant, then restart the client and Azure MCP Server after switching to the correct tenant. |
Verify the effective configuration
If the problem persists, start the server with debug logging and confirm that Azure MCP Server is using the expected authority host.
azmcp server start --cloud AzureUSGovernment --log-level Debug
The debug output should show the authority host being used for authentication.
Additional checks for enterprise environments
If you work behind enterprise network controls, also verify the following items.
- Firewall or proxy rules are not blocking outbound traffic to the sovereign cloud authority host and Azure Resource Manager endpoint.
- The correct account is being selected when multiple credentials are available.
- Private endpoint resources are reachable through VPN, ExpressRoute, or another approved network path.
If you still have problems, see the Azure MCP Server troubleshooting guide.